Graphic Arts Media

How to encrypt your email in Mac OS X’s Mail

Introduction

Continuing from my last article on computer security, this month I’ll show you how to encrypt and digitally “sign” your e-mail to maintain privacy and security. E-mail, being the oldest Internet technology, still accounts for most of the traffic. But did you know that your e-mail is being transmitted in the “clear”? Anyone with a packet sniffer can read your e-mail! Not very secure for sure.

The version of Mail that ships with Mac OS X 10.3 (Panther) and 10.4 (Tiger) has the ability to sign and encrypt e-mail messages. This lets you encrypt e-mail messages and verify the identity of the sender of a received message – basically giving you the equivalent of a digital envelope to protect your mail from prying eyes.

I’m providing a step-by-step guide for getting started with using these features in Mail. Apple doesn’t advertise this, but it’s really quite simple. Just so you know, Microsoft Entourage can also handle encryption; see the “Using Mail” section of this article for how to enable it.

The First step: The Digital Certificate

There are several trusted authorities which can validate a person’s identity in the form of a digital certificate.

An e-mail certificate is used to verify that the sender of an e-mail message is indeed the owner of the e-mail address that the message is sent from. You need a digital certificate to be able to sign and encrypt e-mail messages. In this guide, we will get the certificate from Thawte, a South Africa-based company owned by VeriSign that offers free e-mail certificates.

Note: You will need to use either Safari in Tiger, or Mozilla in Panther to request and download certificates. Earlier versions of Safari don’t know how to handle the resulting certificate file.

Thawte: Personal E-mail Certificates

Ok, here we go! Head over to http://www.thawte.com/secure-email/personal-email-certificates/index.html and create an account by filling out the form provided when hitting the “join” button.

Pay special attention to provide a secure password for your Thawte account. Use the Keychain Access application provided with Mac OS X to store the password and the “challenge-response” questions you provide, as a “Secure Note.”

Once your account is created, you need to log in to prepare your e-mail addresses and certificate requests.

Thawte: Request A Certificate

Now you’ll need to request a new certificate for the e-mail address you want. But first you need to tell Thawte about the e-mail addresses you have. Click on “new email address” under “my emails” and fill in the details. Do this for each and every e-mail address you wish to obtain a certificate for. Thawte will send a validation e-mail to each account to make sure you’re the legitimate owner of the address. Follow the instructions in each e-mail you receive to “activate” the e-mail address in Thawte.

Once you’ve entered the e-mail addresses, you can request certificates for each one. Click on “request certificate” under “certificates” and click on the X.509 button. Leave the defaults as-is on the next few screens. On the second page, you can select which e-mail addresses you want certificates issued for. You can save some time by telling it to do all of them if you wish.

Accept the default values on each form page. On the last page choose to “Accept Default Extensions.” When proceeding past the sixth page, a keypair will be generated.

Thawte: Certificate Request Status

At first, the status of your new certificates will be “pending” and when the process is finally complete, the certificate’s status will change to “issued.” When the certificate is issued, you can click the link named “Navigator” to be taken to a page where the details of your certificate are presented, and with a “fetch” button to download the certificate.

After you click the fetch button, the download panel will open. Safari may complain about “deliver.exe” being an application. Click “download” to let the certificate come down. Once the download is complete, Safari will automatically launch the Keychain Access application to transfer the certificate. Now you’re ready to start using your new certificates!

If you’re using Panther, Safari will not recognize the certificate, which is why you have to use Mozilla. In Mozilla’s certificate manager, you can export the downloaded certificates and import them manually in Keychain Access. Save the certificates with a .cert extension so Keychain will understand them.

Using Mail

To send a signed e-mail, simply select the sign button (star icon) in the new message window. Similarly, to send an encrypted message, select the encrypt button (lock icon). The buttons show up automatically because Mail will match the e-mail address in your account with the certificate it reads from the Keychain. In Microsoft Entourage, you need to click on the security tab in each account you have and select the appropriate certificate (read from the Keychain). Then you can choose to sign and encrypt e-mails in Entourage either automatically or manually.

You should always select both buttons (highlighted in red), if available, unless the recipient of the message has explicitly requested not to receive signed or encrypted messages.

A signed message will allow you to validate the integrity of the message (that it hasn’t been tampered with) and the identity of the sender – but the message is still delivered in clear text, unless also encrypted. An encrypted message will protect the body of the message from prying eyes, but on its own it is not signed, so the recipient gets no proof of who sent it.

If you have a certificate, you can send signed messages to anyone, but you can ONLY send encrypted messages when both you and ALL recipients of the message have certificates.

Mail needs the recipient certificates to encrypt the outgoing message. The easiest way to let Mail know that a recipient has a certificate, and to give Mail access to that certificate, is to have that recipient first send you a signed message (not encrypted, just signed). Mail will automatically store the certificates it receives in the Keychain for future reference.

The encrypt button will not be visible when the recipient doesn’t have a certificate, or if it has one but you don’t have a copy of the certificate stored in your Keychain.

This is what a signed and encrypted message will look like when you’re on the receiving end. The little badge with the checkmark is the seal that ensures that the identity of the sender is known to be correct, and that the message has not been modified since it was signed by the sender.

If Mail can’t verify the message signature (for example, if some text has been added to the message after it was signed), Mail will display a warning to alert the user.

How it works

Encrypting and signing e-mail is easy, but under the hood something interesting is happening. When you sign an e-mail, your certificate, which contains the public half of your key pair, is embedded into the e-mail. Mail normally hides this, but you can see it if you choose to see “raw source” in an e-mail you’ve sent. This public certificate is what gets stored on the recipient’s end in their Keychain. Your public certificate contains no passwords or personal data, only the encryption data needed to scramble a message so that ONLY you can read the message when it comes back to you.

When a recipient also has a valid certificate, they can choose to encrypt a new e-mail or a reply to you so that only you can read it. When you receive the e-mail, Mail automatically uses the private key that belongs with your certificate to decrypt it, since it recognizes the public certificate embedded in the e-mail. It’s totally transparent and automatic. You can look at the raw e-mail if you choose to see “raw source.” You’ll see nothing but gibberish!

Some observations about E-mail client compatibility

Here are a few observations based on my experience with other email clients:

• Outlook XP on Windows can read signed and/or encrypted messages sent from Mail, but Mail can’t open messages from Outlook XP that have been both signed and encrypted. However, an attachment will usually be present which you can open in a text editor.

• Netscape 7.01 doesn’t recognize signed messages sent from Mail. Upgrading to Netscape 7.1 solves this problem.

It seems that most of the more popular e-mail clients support digital certificates in their more recent versions. The best way to resolve problems with using digital certificates is probably to make sure that you use up-to-date versions!

Conclusion

Since Apple has made it so easy to protect your e-mail from prying eyes, it makes perfect sense to use this free method to give yourself the upper edge and protect your business and personal communications.
